[Ach] SSH-Options for Cisco IOS and ASA

Karsten Iwen ki at iwen.de
Tue Dec 17 14:36:56 CET 2013

Hi all,

what about the following addition to the SSH-Section:

-------------------------- start --------------------------
*Cisco ASA*
Tested with version: 9.1(3)
When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed. In addition to that, only a group1 DH-key-exchange is used. This should be changed to allow only SSH version 2 and to use a key-exchange with group14. The generated RSA key should be 2048 bit (the actual supported maximum). A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.

crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
line vty 0 4
  transport input ssh

Reference: http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html

*Cisco IOS*
Tested with version: 15.0, 15.1, 15.2

Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only uses a DH-group of 768 Bit.
In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual key-pairs.

crypto key generate rsa modulus 2048 label SSH-KEYS
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
ip ssh dh min size 2048

Reference: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html

--------------------------- end ---------------------------

Although the IOS can use up to 4096 Bit both for RSA-keys and also for the DH-Key-exchange in SSH, I typically still use 2048 Bit because I ran into problems multiple times with older clients some time ago. In my opinion 2048 Bit is ok as it has "enough Security" at the moment. For a general recommendation of the maximum bitlength more tests are needed.
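
An added example, not part of the original post: a small Python check that audits saved IOS configuration text against the settings proposed above (SSH version 2 only, a dedicated RSA key pair, DH minimum size of 2048, SSH-only vty lines). The function name `audit_ios_ssh` and the sample configuration are constructed for illustration; the input is assumed to be text saved from `show running-config`.

```python
import re

# Constructed sample of an IOS running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
ip ssh dh min size 1024
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

MIN_DH_BITS = 2048  # value recommended in the post


def audit_ios_ssh(config: str) -> list:
    """Hypothetical helper: return a list of findings; empty means all checks passed."""
    findings = []
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    if "ip ssh version 2" not in stripped:
        findings.append("SSH version 2 is not enforced (ip ssh version 2 missing)")
    if not any(l.startswith("ip ssh rsa keypair-name ") for l in stripped):
        findings.append("no dedicated RSA key pair bound to SSH")
    dh = [int(m.group(1)) for l in stripped
          if (m := re.fullmatch(r"ip ssh dh min size (\d+)", l))]
    if not dh:
        findings.append("DH minimum size not set (device default applies)")
    elif dh[-1] < MIN_DH_BITS:
        findings.append(f"DH minimum size {dh[-1]} is below {MIN_DH_BITS}")
    # Walk the vty blocks: sub-commands are the indented lines after "line vty".
    current, transport = None, {}
    for raw in lines:
        if raw.startswith("line "):
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                transport[current] = None
        elif current and raw[:1].isspace() and raw.strip().startswith("transport input "):
            transport[current] = raw.split()[2:]
        elif raw and not raw[:1].isspace():
            current = None  # a new top-level command ends the vty block
    for vty, protos in transport.items():
        if protos != ["ssh"]:
            shown = " ".join(protos) if protos else "not set"
            findings.append(f"{vty}: transport input is '{shown}', expected 'ssh'")
    return findings
```

Run against the constructed sample, it reports the 1024-bit DH minimum and the vty block that still accepts telnet.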

